

Flax Typhoon's ArcGIS Backdoor: Why EDR Failed and How NDR Finds the Webshell


October 30, 2025

According to a recent report from ReliaQuest, the China-backed advanced persistent threat (APT) group Flax Typhoon, also tracked as Ethereal Panda (CrowdStrike) and RedJuliett (Recorded Future), maintained year-long access to a victim's ArcGIS Server by turning a trusted, legitimate component of that software into a persistent backdoor.

The intrusion did not rely on an unpatched vulnerability. The attackers instead practiced camouflage, turning the victim's own tools against them to conduct cyber espionage and secure long-term, persistent access.

How Flax Typhoon Weaponized Trust

The reason this espionage campaign went unnoticed for more than a year is simple: Flax Typhoon weaponized trust. Using Living-off-the-Land (LotL) techniques, they made their access tooling look like ordinary business infrastructure.

The Evasion of Endpoint and Log-Based Tools

The attackers bypassed endpoint detection and response (EDR) and avoided raising alerts in the security information and event management (SIEM) platform by tampering with a legitimate application component: a Java Server Object Extension (SOE) belonging to the victim's ArcGIS Server.

They modified the SOE's code so that it doubled as a stealthy web shell, accepting base64-encoded commands from a remote operator through the server's public-facing REST interface.

[Call-out] When the malicious code runs inside a legitimate, trusted application process and the SIEM only sees logs from an approved application behaving as expected, both tools classify the activity as normal, effectively granting the attackers a free pass for command execution.

After gaining initial access with compromised administrator credentials, the adversary used the modified SOE (the web shell) for execution, immediately running reconnaissance commands, mapping the internal network, and targeting IT staff workstations for credential harvesting.
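To make the web-shell pattern concrete, here is an added hunting script written for this post (it is not ReliaQuest's or ExtraHop's tooling). It scans HTTP access-log lines for SOE REST operations whose parameters carry base64-encoded shell commands, which is how the modified SOE received its instructions. The /rest/services/.../exts/<SOE>/<operation> URL shape is the documented ArcGIS Server layout for SOE operations; the log format, the SimpleRestSOE name, and the key and cmd parameter names are assumptions, and the sample log lines are constructed.

```python
"""Hunt HTTP access logs for ArcGIS SOE operations carrying base64-encoded
shell commands. Example code for this post; the log format, SOE name and
parameter names are constructed assumptions."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Documented ArcGIS Server URL shape for SOE REST operations:
#   /rest/services/<folder>/<service>/<type>/exts/<SOE>/<operation>
SOE_PATH = re.compile(r"/rest/services/.+?/exts/(?P<soe>[^/]+)/(?P<op>[^/?]+)")
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# Constructed log format: <timestamp> <client-ip> "<method> <url> HTTP/x.y" <status>
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Heuristics for "decoded text is a shell command": first token or metacharacters.
SHELL_BINARIES = {
    "cmd", "cmd.exe", "powershell", "powershell.exe", "whoami", "ipconfig",
    "net", "net1", "nltest", "tasklist", "systeminfo", "netstat", "quser",
    "dir", "type", "reg", "sc", "wmic", "arp", "hostname",
}
SHELL_META = ("&&", "||", "|", " /c ", "-enc ", "-encodedcommand")


def decode_b64_text(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    candidate = value.replace(" ", "+")  # parse_qs turns a literal '+' into ' '
    if not B64_SHAPE.match(candidate) or len(candidate) % 4:
        return None
    try:
        text = base64.b64decode(candidate, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def looks_like_command(text):
    """True if the decoded text starts with a known binary or contains shell metacharacters."""
    tokens = text.strip().split()
    first = tokens[0].lower() if tokens else ""
    lowered = text.lower()
    return first in SHELL_BINARIES or any(m in lowered for m in SHELL_META)


def find_webshell_commands(log_lines):
    """Return one finding per request parameter that decodes to a shell command."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real hunt would count and review these
        url = urlsplit(m["url"])
        soe = SOE_PATH.search(url.path)
        if not soe:
            continue  # ordinary map/feature request, not an SOE operation
        for name, values in parse_qs(url.query).items():
            for value in values:
                text = decode_b64_text(value)
                if text and looks_like_command(text):
                    findings.append({
                        "ts": m["ts"], "src": m["src"], "soe": soe["soe"],
                        "operation": soe["op"], "param": name, "command": text,
                    })
    return findings


# Constructed sample: two routine requests, then two web-shell commands
# ("whoami /all" and "ipconfig /all" base64-encoded in the cmd parameter).
SAMPLE_LOG = [
    '2025-06-02T03:11:02Z 198.51.100.20 "GET /arcgis/rest/services/Cities/MapServer/0/query?where=1%3D1&f=json HTTP/1.1" 200',
    '2025-06-02T03:11:40Z 198.51.100.20 "GET /arcgis/rest/services/Cities/MapServer/exts/SimpleRestSOE/summary?payload=eyJ4IjogMX0%3D&f=json HTTP/1.1" 200',
    '2025-06-02T03:12:44Z 203.0.113.7 "GET /arcgis/rest/services/Cities/MapServer/exts/SimpleRestSOE/run?key=7f3a9c&cmd=d2hvYW1pIC9hbGw%3D HTTP/1.1" 200',
    '2025-06-02T03:12:51Z 203.0.113.7 "GET /arcgis/rest/services/Cities/MapServer/exts/SimpleRestSOE/run?key=7f3a9c&cmd=aXBjb25maWcgL2FsbA%3D%3D HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in find_webshell_commands(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["soe"]}/{hit["operation"]} {hit["param"]}={hit["command"]!r}')
```

The second sample line shows why the decode step alone is not a verdict: a legitimate SOE operation may well take a base64 parameter, so the script only fires when the decoded text reads like a command. POST bodies, which SOE operations can also use, would be fed through the same decode_b64_text and looks_like_command checks.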

The Invisible Command Center

To keep remote control after the initial foothold, the attackers went further, disguising their communication channel as routine network activity.

For persistent command-and-control (C2), the adversary installed the legitimate SoftEther VPN Bridge. They renamed the executable (for example, to bridge.exe), placed it in the highly trusted Windows System32 directory, and ran it as a Windows service so that it masqueraded as a normal system process.

The C2 traffic in this setup goes undetected because it is carried as VPN-over-HTTPS on the standard web port (443). Firewalls and monitoring tools that expect benign web traffic on that port do not recognize the persistent, covert tunnel hidden inside the encryption layer.
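Port 443 hides the payload, but not the shape of the session. The following added example (written for this post, not ExtraHop's detection logic) scores outbound HTTPS flow records on four traits a VPN-over-HTTPS tunnel tends to show together and a browser session does not: the session lasts for hours, no other host talks to the destination, the initiating host is a server that normally only accepts connections, and more bytes go out than come in. The flow records and the internal address prefixes are constructed; the C2 address is the one from this post's IOC list.

```python
"""Flag server-initiated, long-lived, upload-heavy HTTPS sessions to rare
destinations: the network shape of a SoftEther-style VPN-over-HTTPS tunnel.
Example code for this post, not ExtraHop's detection logic; flow records and
address ranges are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection summary, as exported by a flow collector or NDR sensor."""
    src: str
    dst: str
    dport: int
    start: int      # epoch seconds
    end: int        # epoch seconds
    bytes_out: int  # src -> dst
    bytes_in: int   # dst -> src

    @property
    def duration(self):
        return self.end - self.start


INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")  # assumption: this network's internal ranges


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def find_covert_tunnels(flows, long_session=3600, max_peers=1, min_reasons=3):
    """Return [(flow, reasons)] for outbound :443 sessions that look like C2 tunnels.

    Each flow is scored on four independent traits; alerting only when several
    coincide keeps a single long download or a lone CDN fetch from paging anyone.
    """
    peers = defaultdict(set)     # (dst, dport) -> internal hosts that talk to it
    inbound = defaultdict(int)   # internal host -> sessions it accepted
    outbound = defaultdict(int)  # internal host -> sessions it initiated
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            outbound[f.src] += 1
            peers[(f.dst, f.dport)].add(f.src)
        elif is_internal(f.dst) and not is_internal(f.src):
            inbound[f.dst] += 1

    findings = []
    for f in flows:
        if not (is_internal(f.src) and not is_internal(f.dst) and f.dport == 443):
            continue
        reasons = []
        if f.duration >= long_session:
            reasons.append("long-lived")        # browsers do not hold one session for hours
        if len(peers[(f.dst, f.dport)]) <= max_peers:
            reasons.append("rare destination")  # nobody else on the network talks to it
        if inbound[f.src] > outbound[f.src]:
            reasons.append("server role")       # a host that mostly accepts connections
        if f.bytes_out > f.bytes_in:
            reasons.append("upload-heavy")      # web clients download; tunnels push data out
        if len(reasons) >= min_reasons:
            findings.append((f, reasons))
    return findings


# Constructed sample flows. 10.0.0.5 is the ArcGIS server; 172.86.117.230 is the
# C2 address from the post's IOC list; other externals are documentation ranges.
SAMPLE_FLOWS = [
    Flow("198.51.100.20", "10.0.0.5", 443, 1000, 1003, 2_100, 48_000),  # public users
    Flow("198.51.100.21", "10.0.0.5", 443, 1100, 1102, 1_800, 39_000),
    Flow("198.51.100.22", "10.0.0.5", 443, 1200, 1205, 2_400, 51_000),
    Flow("10.0.0.5", "192.0.2.50", 443, 1300, 1304, 900, 5_200),         # routine update check
    Flow("10.0.1.10", "192.0.2.50", 443, 1400, 1410, 3_000, 120_000),    # workstations browsing
    Flow("10.0.1.11", "192.0.2.50", 443, 1500, 1508, 2_500, 98_000),
    Flow("10.0.1.11", "203.0.113.80", 443, 1600, 1603, 1_200, 24_000),
    Flow("10.0.0.5", "172.86.117.230", 443, 2000, 2000 + 6 * 3600, 48_000_000, 9_500_000),  # tunnel
]

if __name__ == "__main__":
    for flow, reasons in find_covert_tunnels(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {flow.duration}s  {', '.join(reasons)}")
```

Only the server-to-C2 flow collects all four reasons; the server's short update check scores one ("server role") and a workstation's one-off visit to an unshared site scores one ("rare destination"), so neither alerts at the default threshold. In production the role and rarity baselines would be computed over days of traffic rather than a handful of flows, which is exactly the profiling an NDR sensor does continuously.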

A Long-Term Foothold

Flax Typhoon's persistence plan was built to survive the victim's own recovery procedures and to lock out any rivals.

To keep exclusive control, they built a hard-coded key into the web shell, so that neither other threat actors nor internal administrators could use or tamper with their access. Because the modified SOE was part of the core installation, the malicious code was captured in the victim's routine system backups. The organization's own restore procedure therefore became the attacker's re-infection mechanism, guaranteeing persistent access no matter how many times the system was restored.

The methods Flax Typhoon used fit a growing pattern among nation-state adversaries: rather than depending on custom malware, they turn trusted software, firmware, and administration tools into persistence mechanisms.

For instance, the ArcaneDoor campaign against Cisco ASA devices also manipulated low-level device firmware for persistence. Similarly, Volt Typhoon systematically used LotL techniques to hide inside critical infrastructure, abusing legitimate Windows binaries and network tunnels to avoid detection.

MITRE ATT&CK TTPs

ID          Tactic: Technique
T1078       Initial Access: Valid Accounts
T1190       Initial Access: Exploit Public-Facing Application
T1059.001   Execution: Command and Scripting Interpreter: PowerShell
T1059.003   Execution: Command and Scripting Interpreter: Windows Command Shell
T1087.001   Discovery: Account Discovery: Local Account
T1543.003   Persistence: Create or Modify System Process: Windows Service
T1036.003   Defense Evasion: Masquerading: Rename Legitimate Utilities
T1036.005   Defense Evasion: Masquerading: Match Legitimate Name or Location
T1564.001   Defense Evasion: Hide Artifacts: Hidden Files and Directories
T1071.001   Command and Control: Application Layer Protocol: Web Protocols
T1043       Command and Control: Commonly Used Port (deprecated in current ATT&CK)
T1003.002   Credential Access: OS Credential Dumping: Security Account Manager
T1003       Credential Access: OS Credential Dumping

Indicators of Compromise

Artifact                                                            Details
172.86.117[.]230                                                    C2 IP (SoftEther VPN Server)
bridge.exe                                                          Renamed SoftEther VPN Bridge
vpn_bridge.config                                                   SoftEther VPN configuration file
hamcore.se2                                                         SoftEther installation file
4f9d9a6cba88832fcb7cfb845472b63ff15cb9b417f4f02cb8086552c19ceffc    SHA-256 of bridge.exe
8282c5a177790422769b58b60704957286edb63a53a49a8f95cfa1accf53c861    SHA-256 of vpn_bridge.config
84959fe39d655a9426b58b4d8c5ec1e038af932461ca85916d7adeed299de1b3    SHA-256 of hamcore.se2
cec625f70d2816c85b1c6b3b449e4a84a5da432b75a99e9efa9acd6b9870b336    SHA-256 of simplerestsoe.soe (modified SOE)
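Because the backdoored SOE rode along in backups, a restore should be gated on an integrity check rather than trusted because it came from the organization's own archive. The following added example, written for this post (it is not Esri or ExtraHop tooling), hashes every extension and binary of the IOC file types in a backup tree, compares the result with a manifest pinned from a known-clean install, and matches each digest against the SHA-256 values in the table above. The directory layout and file contents in the demo are constructed.

```python
"""Check a backup (or restore candidate) of an ArcGIS Server extension tree
against a pinned manifest of known-clean hashes and against the SHA-256 IOCs
listed in this post. Example code for this post, not Esri or ExtraHop tooling;
the directory layout and file contents in the demo are constructed."""
import hashlib
import pathlib
import tempfile

# SHA-256 values copied from the IOC table in this post.
KNOWN_BAD_SHA256 = {
    "4f9d9a6cba88832fcb7cfb845472b63ff15cb9b417f4f02cb8086552c19ceffc": "bridge.exe (renamed SoftEther VPN Bridge)",
    "8282c5a177790422769b58b60704957286edb63a53a49a8f95cfa1accf53c861": "vpn_bridge.config (SoftEther VPN config)",
    "84959fe39d655a9426b58b4d8c5ec1e038af932461ca85916d7adeed299de1b3": "hamcore.se2 (SoftEther installation file)",
    "cec625f70d2816c85b1c6b3b449e4a84a5da432b75a99e9efa9acd6b9870b336": "simplerestsoe.soe (modified SOE web shell)",
}
AUDIT_SUFFIXES = (".soe", ".exe", ".config", ".se2")  # file types named in the IOC list


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, suffixes=AUDIT_SUFFIXES):
    """Hash every matching file under root. Run on a known-clean install and pin the result."""
    root = pathlib.Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def audit_tree(root, pinned, suffixes=AUDIT_SUFFIXES):
    """Compare a backup or restore candidate against the pinned manifest and the IOC hashes."""
    current = build_manifest(root, suffixes)
    report = {"ioc_hits": [], "modified": [], "unexpected": [], "missing": []}
    for rel, digest in current.items():
        if digest in KNOWN_BAD_SHA256:
            report["ioc_hits"].append((rel, KNOWN_BAD_SHA256[digest]))
        if rel not in pinned:
            report["unexpected"].append(rel)  # an extension nobody deployed on purpose
        elif pinned[rel] != digest:
            report["modified"].append(rel)    # same name, different code: the SOE pattern
    report["missing"] = [rel for rel in pinned if rel not in current]
    return report


def run_demo():
    """Constructed scenario: pin a clean install, then audit a backup in which the
    SOE was swapped for a modified build and an extra extension appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = pathlib.Path(tmp, "clean", "arcgis", "server", "extensions")
        backup = pathlib.Path(tmp, "backup", "arcgis", "server", "extensions")
        for d in (clean, backup):
            d.mkdir(parents=True)
        (clean / "SimpleRestSOE.soe").write_bytes(b"PK\x03\x04 original SOE build")
        pinned = build_manifest(clean.parents[2])  # root is <tmp>/clean
        (backup / "SimpleRestSOE.soe").write_bytes(b"PK\x03\x04 rebuilt with command handler")
        (backup / "Helper.soe").write_bytes(b"PK\x03\x04 extra extension")
        return audit_tree(backup.parents[2], pinned)  # root is <tmp>/backup


if __name__ == "__main__":
    print(run_demo())
```

The manifest comparison is what catches the Flax Typhoon case: the modified SOE keeps its original name, so a hash-only IOC match would miss any rebuild that differs from the published sample, while a pinned known-clean manifest flags it as "modified" regardless. Keep the pinned manifest outside the backup set it protects, or the attacker's copy becomes the reference.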

Building Resilience with Network Detection and Response (NDR)

Detecting modern advanced persistent threats (APTs) means shifting the security focus from what is on the host (files and logs) to how the host behaves on the network. That behavior is where LotL threats such as the Flax Typhoon web shell betray their intent. The ExtraHop NDR platform is engineered to expose these stealthy LotL techniques by monitoring the core network activity that firewalls and EDR may fail to log or detect.

Detection of Covert C2 Tunnels

ExtraHop uses behavioral analysis and machine learning to profile expected traffic patterns. It detects anomalies such as a geo-mapping server suddenly initiating a persistent, non-browser VPN tunnel over HTTPS (SoftEther), exposing the structural anomalies that port-based firewall rules ignore.

Lateral Movement Visibility

Once inside, the adversary moves laterally and hunts for credentials. ExtraHop provides east-west visibility by decoding authentication and RPC protocols such as Kerberos, NTLM, and MSRPC. This lets the platform flag unauthorized reconnaissance or connections from a compromised ArcGIS server to IT staff workstations, including the network service scanning used to map the internal environment.

Identity-Driven Alerting

ExtraHop correlates anomalous network activity back to the compromised administrator account used for initial access. Security teams can pivot rapidly from "suspicious traffic" to "compromised ArcGIS admin account activity," shrinking mean time to respond (MTTR) and enabling surgical isolation of the threat actor.

Shift Defense to the Network

The Flax Typhoon intrusion delivers a clear message: a defense built around the perimeter alone is a failing strategy. EDR and SIEM tools will likely miss threats when the adversary's primary weapon is your own trusted application code. Building cyber resilience requires extending defense to the network itself.

By detecting the consequences of a compromise, including covert C2 tunnels, suspicious encrypted traffic flows, and unauthorized lateral movement, ExtraHop helps ensure that even when a valid account is breached, the attacker's activities are exposed. In an era where every major enterprise is a target, NDR is a foundational requirement for continuous threat hunting and eviction, helping organizations observe, stop, and permanently remove the spies hiding in their systems.


Blog author
Michael Zuckerman

Product Marketing Team

Michael Zuckerman is a seasoned B2B product marketing and marketing strategy consultant. Zuckerman's domain experience in cybersecurity over the past 10 years includes DNS security, threat intelligence, threat intelligence platforms (TIP), container security, mobile device security, moving target defense, sandboxing, deception technology, cloud access security brokers (CASB), SASE, data loss prevention (DLP), user and entity behavior analytics (UEBA), network detection and response (NDR), and encryption.

